
Improving online financial security with low-tech password mgmt (pt 2)

Posted by Tom on Dec 08, 2014

Okay, so if you read our last blog entry (Low-tech password management, part one) you know we are doing a quick little series on ways to be more secure online without going high-tech.  I have a pretty serious security setup, but most people I talk to really don’t want to be bothered.  This little blog series is the security series for them.  Last time, we talked about the “little black book” approach to storing password hints.  Does the idea of entering your password stuff into a book make you feel like Scrooge McDuck with his ledger?  If so, maybe we can shift gears.  How about channeling John le Carré (yes, I know he isn’t actually dead) and going old-school Cold War Berlin?  How about a variant of the never-out-of-style “book code”?  Wouldn’t it feel a lot better to be James Bond (or Modesty Blaise) than Scrooge McDuck?

This is another kind of password approach that can work.  We are not actually going to create a book code, which is a way for two people to send encrypted messages to one another based on page number, line number and letter position in a shared book.  We don’t really need to go that far for this exercise.  We are just going to create random passwords from book pages.  Fun, right?

Look at your bookshelf.  Find a suitable book.  I like hardcovers for this.  Most of my personal library is digital now, but I still can’t bear to get rid of a respectable number of books, so I still have a bookshelf.  If you don’t have a bookshelf, (I am not judging) head over to your local used book store and find a handful of books that you think are interesting, but try to make sure one is pretty big.  War and Peace, Anna Karenina or Bleak House will all do nicely.  Used book stores are usually loaded with copies of those, because nobody ever finishes them, and people cannot bear to look at them.  It seems like the books are mocking you when you know you just can’t marshal the interest to get through them, so they get dropped off at used book stores, usually in virtually new condition.  You want a gently used book that looks seriously boring.  Remember—go for the hardcover if possible.

[Image: War and Peace can be an investor’s information security friend]

Then you divide the book up alphabetically, so that a certain number of pages is allocated to each letter.  First, look at the names of the websites you presently use, and allocate the most space to the most popular first letters.  Give yourself room to grow.  If you only regularly visit ten websites, you could probably get away with James and the Giant Peach, but let’s aim a little higher.  You want to be able to allocate at least twenty pages per letter, so if you have lots of websites starting with M, add twenty or so to however many you already have.  You can probably allocate fewer to the rarer letters like Q, V, Y and Z.  If you are really obsessive you could alphabetize the web pages you visit pretty aggressively, but you don’t really need to.  Make a little index on the insides of the front and back covers, leaving space for new entries, and start assigning pages to sites within the page ranges you set for each letter.  So if you allocated 20 pages to each letter and you were in the middle of the “G” listings, looking to file your login for Gettyimages.com, you might be on page 150.  You can see why I recommend War and Peace, right?  Doing the simple math, if you allocate twenty pages per letter, with each page representing one site, you need 520 pages to cover the alphabet.  I recommend you go bigger, because you don’t really want to outgrow the book.  You can reuse pages, or convert them to different sites, but for now let’s just start by getting a bigger book.

Here is how this works.  Your book sits on the shelf near where your computer is.  It can go with you in a carry-on when you travel (just be really sure not to lose it). To build the password all you do is this:

  1. Pick the page for the site—we will use page 150 of my book (Cloud Atlas, by David Mitchell—now another sad example of a brilliant and visionary work, rendered into something purely functional.)
  2. Review the password policies of the site.  I am going to make up rules for my hypothetical login for Getty Images, using the fictional character of my last post, Jeffrey Killian.  Figure out what the username rules are, and whether the number and types of characters in the password are limited.  Let’s assume special characters are allowed, and the password must be less than 16 characters in total length.
  3. Flip to page 150, look at your keyboard and pick a special character (one the site allows) and write it at the top of the page.
  4. Write the username for the site on the bottom of the page.
  5. If you read our last blog on this, you know that we advocate a master password/site password approach, so we take the total number of characters allowed (16), subtract the page number (3 characters for 150), subtract the length of the master password (Jeff Killian has “JDog3”, which is obviously 5 characters) and subtract 1 character for our special character (pretend it is the “*”).  16-3-5-1=7.  We will write that at the top of the page, as a reminder.

We will generate a 7-character string from the first line of page 150.

  1. Scan the first line of the page, underlining 7 characters: every other one, every third one, random characters, seven in a row…whatever you want.
  2. Now we assemble the password. 
    1. The master password is JDog3
    2. The page number is 150
    3. The symbol is *
    4. My seven characters were “ionsraj”, all lower case.  I write them in the margin next to the first line.

The Password is: JDog3150*ionsraj

[Image: Cloud Atlas page, marked up for information security use]

When that password expires, or the rules change, or you decide to change it, all you do is move to the next line and repeat the process: JDog3150*izedmed.  Or add an arbitrary character into the mix, if you want.  So when the time comes to remember your password, you pull down your trusty copy of War and Peace (or Cloud Atlas) from the shelf, look at the front cover, get the page for Getty Images, flip to the page, and voilà!  Username and password, all nicely recorded.  With 34 lines available to choose from, you have 34 password changes without a problem.  If that isn’t enough, you can surely find a way to double back: run down all the first letters on each line, then all the second letters, whatever.  White out the recorded passwords and start again.
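The steps above (the page index per letter, the character budget, the line scan and the move-to-the-next-line rotation) are easy to get wrong by hand, so here they are as code. This is an added example, not part of the original post: the function names, the site list and the two sample "book lines" are constructed for the example; the master password "JDog3", page 150, the "*" symbol and the 16-character limit are the post's own worked values, and the 10-page figure for rare letters is an assumption, since the post gives no number.

```python
"""Book-page password scheme from the post, as a worked example (constructed)."""
from string import ascii_uppercase


def allocate_pages(sites, base=20, first_page=1, rare=(), rare_base=10):
    """Map each first letter to an inclusive (start, end) page range.

    Each letter gets `base` pages plus one per site already starting with it
    (the post's "add twenty or so to however many you have"); letters listed
    in `rare` get `rare_base` pages instead (assumed figure, not the post's).
    """
    counts = {letter: 0 for letter in ascii_uppercase}
    for name in sites:
        if name[:1].isalpha():
            counts[name[0].upper()] += 1
    ranges, page = {}, first_page
    for letter in ascii_uppercase:
        width = (rare_base if letter in rare else base) + counts[letter]
        ranges[letter] = (page, page + width - 1)
        page += width
    return ranges


def pages_needed(ranges):
    """Total pages the index consumes; the book must have at least this many."""
    return sum(hi - lo + 1 for lo, hi in ranges.values())


def book_budget(max_len, page, master, symbol):
    """Characters left for the book segment: limit - page digits - master - symbol."""
    remaining = max_len - len(str(page)) - len(master) - len(symbol)
    if remaining < 1:
        raise ValueError("no room left for book characters under this site's limit")
    return remaining


def pick_letters(line, count, stride=1, start=0):
    """Take `count` letters from a printed line: every `stride`-th letter from `start`.

    Punctuation and spaces are skipped and letters are lower-cased, matching
    the post's "ionsraj", all lower case.
    """
    letters = [c.lower() for c in line if c.isalpha()]
    chosen = letters[start::stride][:count]
    if len(chosen) < count:
        raise ValueError(f"line too short for {count} letters at stride {stride}")
    return "".join(chosen)


def build_password(master, page, symbol, line, max_len, stride=1):
    """Assemble master + page number + symbol + book letters, as in the post."""
    count = book_budget(max_len, page, master, symbol)
    return master + str(page) + symbol + pick_letters(line, count, stride)


def meets_policy(password, max_len, allowed_symbols="*!@#$%&"):
    """Check the kind of site rule the post describes: length cap, both letter
    cases, a digit and one allowed symbol. This is a policy check, not a
    strength estimate."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in allowed_symbols for c in password)
    return len(password) <= max_len and has_upper and has_lower and has_digit and has_symbol


# Constructed sample text standing in for lines 1 and 2 of page 150.
PAGE_150 = [
    "Ions, rajahs and other curiosities filled the page",
    "Dawn found the regiment already on the road",
]


def password_for_line(line_no, master="JDog3", page=150, symbol="*", max_len=16, stride=1):
    """Password built from the n-th line (1-based); the post's rotation step
    on expiry is simply line_no + 1."""
    return build_password(master, page, symbol, PAGE_150[line_no - 1], max_len, stride)


if __name__ == "__main__":
    index = allocate_pages(["gettyimages.com", "google.com", "msn.com"])
    print("pages needed:", pages_needed(index), "G range:", index["G"])
    first = password_for_line(1)
    print(first, "policy ok:", meets_policy(first, 16))
    print("after rotation:", password_for_line(2))
```

Two things the code makes visible that the hand procedure hides: the budget line raises as soon as a site's limit cannot fit page digits, master password and symbol, which is the case to check before committing a page to a site; and everything except the master password is written in the book, so against anyone who shares the space (the post's own caveat) the master password is the only component that stays secret.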

Sounds like a lot of work, right?  I tried this system as a test run before writing this post, and it is actually not too bad once you do it a few times.  It does have a few advantages over the systems we talked about last time.  First, there is no need to remember anything except the master password component, which prevents the mental roadblock that can happen (especially as we age).  If the password hint in the last blog was “What year did I buy my first car?” and you sit and look blankly at the computer, trying to decide if it was 1955 or 1956…well, that is really not that helpful a system.  If you had the passwords actually recorded in the little black book from the last post and sitting in your desk drawer…a burglar would thank you.  This system keeps the actual passwords at hand, in a way unlikely to be a big security risk, at least from the standpoint of being compromised by a stranger.  Seriously, what burglar snatching your computer is likely to say, hey…they have a copy of War and Peace!  Awesome, I have been trying to find that for years!  Seriously, people are paying to get rid of that.  I admit it is not foolproof.  Burglars are pretty smart, and they do rifle around, apparently.  This nefarious hypothetical burglar might spot the book’s unusual writing and be interested.  I admit it is possible, but it feels pretty unlikely to me.

Where this system is an improvement on the black book with actual passwords, but not as good as the password-hint approach we covered last time, is security against those who share your space.  If other people might have access to the book and know what it is, and they are not people you would trust with your passwords, then think carefully about using this.  Antagonistic spouses, your kids and their friends, coworkers…there are a number of ways this could be compromised.  Don’t advertise it, and keep it safe.  If you are in a situation where this isn’t secure enough, and the last round of choices didn’t suit either…just wait.  We have more to come.

Before I sign off, I should observe that there is one benefit to this approach that I have not mentioned.  People looking in at your computer desk and spotting a dog-eared copy of Bleak House will inevitably raise their eyebrows in admiration.  Did I mention that almost nobody can finish that?  You will be a rock star.  More to come; in the meantime, surf safely.
